[To politech {AT} vorlon.mit.edu and on and on and on...-T]
---------- Forwarded message ----------
Date: Tue, 23 Jun 98 06:24:55 -0500
From: David Hakala <dhakala {AT} cyberweek.com>
To: Declan McCullagh <declan {AT} well.com>
Subject: Some light reading for you
-- [ From: David Hakala * EMC.Ver #2.5.02 ] --
"Privacy on the Line: The Politics of Wiretapping and Encryption"
by Whitfield Diffie and Susan Landau
Reviewed by: Stewart Baker
I wasn't sure I would like this book, but I knew I had to read it. It's the
story of my life---the last several years, anyway.
In the early 1990s, I was the general counsel of the National Security
Agency
(NSA), a job that required me among other things to sell key escrow
encryption and the Clipper Chip to the Clinton Administration (mission
accomplished) and to the rest of the country (er, the less said about that,
the better). I had the chance, too, to work closely with the Federal Bureau
of Investigation (FBI), especially on the problem of how to conduct wiretaps
in a new and far more demanding environment.
One of the surprising results of breaking up AT&T was to create a slow-
motion crisis for law enforcement. So long as communications were
controlled by one company---with a heavy stake in demonstrating its good
citizenship---planning for and providing wiretap access was easy. AT&T knew
what the FBI needed, and it could build those requirements into its products
, passing the cost along to consumers. But deregulation put a premium on
getting to market quickly, reducing overhead, and building lightweight
innovative products. Law enforcement wasn't the customer, and it was
increasingly left behind in the explosion of new products and services.
Often, law enforcement didn't have the technical expertise or the funds to
adapt to the new technologies; and sometimes even expertise and money
weren't enough.
After several years of trying to jawbone industry into compliance with its
requirements, the FBI decided in the early 1990s that it needed a big
stick, it needed a law. The law would not try to sort out all the technical
problems that industry said were preventing wiretaps. It would solve the
problem by fiat, simply requiring that all telecommunications carriers and
manufacturers
design wiretap capabilities into all their products and services.
Privacy advocates were horrified. The press was hostile. Industry jeered.
Not one member of Congress could be found who would introduce the FBI's bill
..
The FBI, however, never gave up. They showed up for every debate, they
mobilized local police, they lobbied Congress relentlessly.
Three years later, the Senate passed the Communications Assistance to Law
Enforcement Act (CALEA), with the FBI's requirement, by a voice vote of 98-0
..
That was round one. Round two, for the FBI, is encryption. Most of the
computer software and hardware industry sat out the fight over CALEA, and
those companies haven't grasped how much the CALEA debate shaped the FBI's
view of encryption.
Thanks to CALEA, the FBI is undaunted by the technical complexity of
building key recovery into encryption, or by the claims of industry that it
can't be done. They heard the same thing from telecommunications companies-
--all of whom are now building wiretap capabilities into their products.
And thanks to CALEA, the FBI is not too troubled by the bad press it's
getting over encryption, or by the privacy and industry complaints---or even
by the Congressional harrumphing. They've heard all that before, too. In
the CALEA
debate, it was patience that paid off; and, in the end, the Bureau believes
that
Congress will have to mandate crypto controls just as it had to mandate
wiretap requirements.
Since leaving government, I've advised dozens of companies on how to live
not
just with encryption controls and key recovery, but also CALEA. I've
started to joke that my law practice consists of being the first lawyer to
discover that the country's main technology and telecommunications
regulatory body is the Federal Bureau of Investigation.
So any book that deals with the politics of wiretapping and encryption is
hard to resist. If I took it to the beach to read, I could probably deduct
the trip.
Still, I had my doubts. Whitfield Diffie is a famous cryptographer, of
course, but I knew him first as NSA's single most determined and effective
opponent. I can't defend every aspect of the government's current policies
on
encryption and wiretapping, but I still have a deep reservoir of sympathy
for that point of view. Wiretapping is an important criminal investigation
tool, particularly when law enforcement is targeting the leaders of
organized crime, who usually don't commit crimes so much as order them
committed. There is no doubt that a wired society needs ubiquitous
encryption; but it's equally true that ubiquitous encryption will give wired
criminals new protections from the law.
That's why I still bridle at too-simplistic Silicon Valley retorts to law
enforcement concerns---especially those that run along the lines of, ``We're
smart. We're rich. They're not. We win.'' I wasn't looking forward to
reading a self-congratulatory book about clueless cops being outsmarted by
liberty-loving technologists.
To my surprise, that's not what Diffie and Landau have written. They've
produced something quieter and more useful. Like a handful of others
(mostly professional privacy advocates and FBI officials) they see the
entire picture---something the high-tech industry has so far only seen in
bits and pieces. Ready or not, the FBI is determined to force us all into a
debate over how and whether we will shape the direction of technological
change.
This book draws together the elements of that story in a fashion that is
scholarly, though it's too well written to deserve that adjective. Diffie
and Landau don't quite popularize the issue---this is still a book only a
policy wonk could love---but they ease the reader gracefully into some
remarkably complex material as though it were a warm bath.
The book begins with an admirably simple introduction to cryptography that
carries the reader deep into the topic. I have to confess that I never
knew how "S-boxes'' got their name until I worked my way through Diffie and
Landau's description of the Digital Encryption Standard and its historical
debt to Vingenere ciphers. (I told you this was a wonk's book.) The
authors next
march the reader through a history of crypto policy, laying out the
interests of
the National Security Agency, the public cryptography movement, law
enforcement, the National Institute of Standards and Technology, and privacy
advocates.
With the groundwork laid, the book then plunges into wiretapping, its
history, value, and abuses. It sketches the FBI's five-year fight to enact
CALEA.
The closing chapter traces the evolution of the encryption debate from a
fight between the software industry and the NSA into a fight that pits the
FBI against the likes of Americans for Tax Reform and the National
Association of Manufacturers.
Throughout this tour, there isn't any doubt where the authors' sympathies
lie. They linger almost lovingly over thirty- and forty-year-old stories of
how
the FBI once abused its wiretap authority. They insist on a long and not
entirely persuasive discussion of why wiretaps aren't that useful to law
enforcement. Government arguments tend to get much shorter shrift than civil
libertarian rebuttals. But it is perhaps a sign of how bitter the
encryption battle has become that Diffie and Landau deserve credit for
including the government's arguments at all.
They deserve praise as well for avoiding dishonest arguments that support
their point of view. Not everyone in this debate is so careful. Lawyers
for industry, for example, can still be heard to argue that there's no need
for encryption controls because the FBI hasn't offered evidence that it has
lost any cases because of good crypto. Of course this is the kind of Catch-
22 argument that is hard to resist because the lawyers know it can't lose.
If the FBI found a way to read the files, then the industry lawyers can say
"See, crypto wasn't a problem.'' And, if the FBI is truly stymied and can't
read the files, then the lawyers can say either "The defendant was acquitted
, and there's >no proof the encrypted files were related to a crime,'' or
"The defendant was convicted, so the FBI didn't need to decrypt the files.
'' Unlike some of their allies, Diffie and Landau never insult our
intelligence.
In short, it's hard to imagine a better introduction to an issue that will
be with us for years to come.
[Published in Notices of the AMS, Volume 45, Number 6, at 709 (June/July
1998)]
--
David Hakala
Denver, Colorado USA
dhakala {AT} cyberweek.com
303-755-6985
[footers bumped]
---
# distributed via nettime-l : no commercial use without permission
# <nettime> is a closed moderated mailinglist for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo {AT} desk.nl and "info nettime-l" in the msg body
# URL: http://www.desk.nl/~nettime/ contact: nettime-owner {AT} desk.nl